Date: Thu, 3 Sep 2020 20:16:15 +0300
From: Or Cohen <orcohen@...oaltonetworks.com>
To: oss-security@...ts.openwall.com
Cc: Nadav Markus <nmarkus@...oaltonetworks.com>
Subject: CVE-2020-14386: Linux kernel: af_packet.c vulnerability

Hi,

This is an announcement of CVE-2020-14386. I also reported the issue to netdev@...r.kernel.org and I'm waiting for approval of my proposed patch.

The report is as follows (a proposed patch and a reproducer are attached):

I discovered a bug which leads to a memory corruption in net/packet/af_packet.c. It can be exploited to gain root privileges from unprivileged processes. To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).

I discovered the vulnerability while auditing the 5.7 kernel sources.

The bug occurs in the tpacket_rcv function. When calculating the netoff variable (unsigned short), po->tp_reserve (unsigned int) is added to it, which can overflow netoff so it gets a small value. macoff is calculated using "macoff = netoff - maclen", so we can control macoff so that it receives a small value (specifically, smaller than sizeof(struct virtio_net_hdr)).

Later, when running the following code:

    ...
    if (do_vnet &&
        virtio_net_hdr_from_skb(skb, h.raw + macoff -
                                sizeof(struct virtio_net_hdr),
    ...

If do_vnet is set, and because macoff < sizeof(struct virtio_net_hdr), a pointer to a memory area before the h.raw buffer will be passed to virtio_net_hdr_from_skb. This can lead to an out-of-bounds write of 1-10 bytes, controlled by the user. The h.raw buffer is allocated in alloc_pg_vec and its size is controlled by the user.
The stack trace is as follows at the time of the crash (linux v5.7):

    #0  memset_erms () at arch/x86/lib/memset_64.S:66
    #1  0xffffffff831934a6 in virtio_net_hdr_from_skb (little_endian=<optimized out>, has_data_valid=<optimized out>, vlan_hlen=<optimized out>, hdr=<optimized out>, skb=<optimized out>) at ./include/linux/virtio_net.h:134
    #2  tpacket_rcv (skb=0xffff8881ef539940, dev=0xffff8881de534000, pt=<optimized out>, orig_dev=<optimized out>) at net/packet/af_packet.c:2287
    #3  0xffffffff82c52e47 in dev_queue_xmit_nit (skb=0xffff8881ef5391c0, dev=<optimized out>) at net/core/dev.c:2276
    #4  0xffffffff82c5e3d4 in xmit_one (more=<optimized out>, txq=<optimized out>, dev=<optimized out>, skb=<optimized out>) at net/core/dev.c:3473
    #5  dev_hard_start_xmit (first=0xffffc900001c0ff6, dev=0x0 <fixed_percpu_data>, txq=0xa <fixed_percpu_data+10>, ret=<optimized out>) at net/core/dev.c:3493
    #6  0xffffffff82c5fc7e in __dev_queue_xmit (skb=0xffff8881ef5391c0, sb_dev=<optimized out>) at net/core/dev.c:4052
    #7  0xffffffff831982d3 in packet_snd (len=65536, msg=<optimized out>, sock=<optimized out>) at net/packet/af_packet.c:2979
    #8  packet_sendmsg (sock=<optimized out>, msg=<optimized out>, len=65536) at net/packet/af_packet.c:3004
    #9  0xffffffff82be09ed in sock_sendmsg_nosec (msg=<optimized out>, sock=<optimized out>) at net/socket.c:652
    #10 sock_sendmsg (sock=0xffff8881e8ff56c0, msg=0xffff8881de56fd88) at net/socket.c:672

Files attached:
A proposed patch - 0001-net-packet-fix-overflow-in-tpacket_rcv.patch
A reproducer for the bug - trigger_bug.c

We are currently working on an exploit for getting root privileges from unprivileged context using this bug.

Timeline:
* 9.2.20 - Vulnerability reported to security@...nel.org and linux-distros@...openwall.org.
* 9.3.20 - CVE-2020-14386 assigned.
* 9.3.20 - Vulnerability reported to netdev.
Or Cohen
Palo Alto Networks

Attachment: "0001-net-packet-fix-overflow-in-tpacket_rcv.patch" (application/octet-stream, 1674 bytes)
Attachment: "trigger_bug.c" (application/octet-stream, 3809 bytes)
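The offset arithmetic the report describes, modelled in user space as an added example (not the reproducer or the patch attached to this mail): the vulnerable variant keeps netoff and macoff as unsigned short exactly as 5.7's tpacket_rcv does, the hardened variant is an assumed mitigation that widens the sum and drops frames whose netoff would not fit 16 bits; tp_hdrlen, maclen and the tp_reserve value are constructed inputs.

```c
#include <limits.h>
#include <stdbool.h>

/* Model of the offset arithmetic in tpacket_rcv (net/packet/af_packet.c, 5.7).
 * Sizes are constructed for the demonstration, not taken from a running kernel. */
#define VIRTIO_NET_HDR_SIZE 10u                 /* sizeof(struct virtio_net_hdr) */
#define TPACKET_ALIGN(x) (((x) + 15u) & ~15u)   /* as in <linux/if_packet.h> */

struct ring_cfg {
    unsigned int tp_hdrlen;   /* po->tp_hdrlen */
    unsigned int tp_reserve;  /* po->tp_reserve, chosen by the socket owner (PACKET_RESERVE) */
    bool has_vnet_hdr;        /* po->has_vnet_hdr: enables the do_vnet path */
};
struct offsets { unsigned int netoff, macoff; bool rejected; };

/* Vulnerable arithmetic: netoff and macoff are unsigned short, so adding the
 * unsigned int tp_reserve wraps modulo 65536 and netoff can end up tiny. */
static struct offsets compute_vulnerable(const struct ring_cfg *c, unsigned int maclen)
{
    unsigned short netoff, macoff;
    netoff = TPACKET_ALIGN(c->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + c->tp_reserve;
    if (c->has_vnet_hdr)
        netoff += VIRTIO_NET_HDR_SIZE;
    macoff = netoff - maclen;
    return (struct offsets){ netoff, macoff, false };
}

/* Hardened variant (an assumed mitigation, not the patch attached to the mail):
 * compute in a width that cannot wrap and drop frames whose netoff would not fit
 * the 16-bit field; on the vnet path macoff is then always >= the header size. */
static struct offsets compute_hardened(const struct ring_cfg *c, unsigned int maclen)
{
    unsigned long long netoff = TPACKET_ALIGN(c->tp_hdrlen + (maclen < 16 ? 16 : maclen));
    netoff += c->tp_reserve;
    if (c->has_vnet_hdr)
        netoff += VIRTIO_NET_HDR_SIZE;
    if (netoff > USHRT_MAX)
        return (struct offsets){ 0, 0, true };   /* frame dropped instead of copied */
    return (struct offsets){ (unsigned int)netoff, (unsigned int)netoff - maclen, false };
}

/* Bytes of the 10-byte virtio_net_hdr write that land before h.raw (0 = in bounds). */
static unsigned int bytes_before_buffer(struct offsets o)
{
    if (o.rejected || o.macoff >= VIRTIO_NET_HDR_SIZE)
        return 0;
    return VIRTIO_NET_HDR_SIZE - o.macoff;
}
```

With tp_hdrlen 32, Ethernet maclen 14 and tp_reserve 65498 the vulnerable path yields netoff 20 and macoff 6, so 4 bytes of the header write land before h.raw; the hardened path rejects the same configuration and leaves a benign tp_reserve of 0 untouched.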